Front-end
--no reason to hide .js files as we are open source
----however, might be useful to add certificates/signing to make sure javascript file that is being run is *our* file, not some other weird version
--need state based security in back end
--need to determine login (oauth, ssl?)
----X-site scripting
Back-end
--state based security
--encryption of database
--logging
Existing problems
--read openmrs security audit
Logging
--does openmrs already have a system in place?
--put in a log file or in database? need to be able to search + audit, but don't want it to slow down our system